OFFICE OF INSPECTOR GENERAL
MEMORANDUM

DATE:     March 4, 2003
TO:       Chairman
FROM:     Inspector General
SUBJECT:  Report on the Follow-up Audit on Auction Physical Security at the Portals Site

The Office of Inspector General (OIG) has completed a Follow-up Audit on Auction Physical Security at the Portals Site. A copy of our Report, entitled “Report on Follow-up Audit on Auction Physical Security at the Portals Site” (Audit Report No. 02-AUD-03-11), is attached. The objective of this audit was to determine the current status of conditions identified in Audit Report No. 99-11, entitled “Report on Auctions Physical Security at the Portals site” and issued on September 28, 1999.

To accomplish the objectives of this follow-up audit, we contracted with the consulting firm of Job Performance Systems (JPS). Under our supervision, JPS first reviewed the status of each condition as reported by FCC management. The JPS review team conducted a site visit to the FCC Headquarters, interviewed staff, reviewed documentation, and performed other tests deemed necessary. Finally, JPS evaluated the status of each finding.

All thirty-one (31) findings in the original audit were reviewed. The follow-up audit identified seven (7) findings as open during the audit period. Of the seven (7) open findings, two (2) are rated as high risk, three (3) as medium risk, and two (2) as low risk. These findings have been open for over three years. Five (5) are dependent on action by the General Services Administration (GSA) and one (1) on activity by Republic Properties (the lessor of the Commission’s Portals facility).

We recommend that the problems we identified be corrected to strengthen the Commission’s physical security program. Our recommendations will correct present problems and minimize the risk that future security problems will occur. All open findings contained in the attached report will be tracked for reporting purposes.

Appendix A of the attached report is a summary of all open audit findings. Appendix B of the attached report is a summary of all original conditions, open and closed. Appendix C contains the detailed results of our audit.

In a response dated February 20, 2003, the Office of Managing Director (OMD) indicated concurrence with five of the open findings and recommendations and outlined the corrective action planned. For the remaining two findings, OMD undertook corrective action and considers those items to be completed. We concur with OMD’s assessment for those two findings and consider them to be closed. We have included a copy of this response in its entirety as Appendix D to this report.

Because of the sensitive nature of the information contained in the appendices to this report, we have classified all as “Non-Public – For Internal FCC Use Only” and have severely limited distribution. Those persons receiving this report are requested not to photocopy or otherwise distribute this material.

If you have any questions, please contact Thomas Bennett, Assistant Inspector General for Audits at (202) 418-0477.

H. Walker Feaster III
Inspector General

Attachments

cc:  Chief of Staff
     Managing Director
     Chief, Wireless Telecommunications Bureau
     AMD – PERM


Federal Communications Commission
Office of Inspector General

Report on Follow-up Audit on Auction Physical Security at the Portals Site

Report No. 02-AUD-03-11
March 4, 2003


TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
OBJECTIVE
SCOPE
OBSERVATIONS
APPENDIX A    Open Findings Summary
APPENDIX B    Listing of All Findings
APPENDIX C    Detailed Findings
APPENDIX D    Management Response


Executive Summary

On September 28, 1999, the Office of Inspector General (OIG) issued Audit Report No. 99-11 entitled “Report on Auctions Physical Security at the Portals Site.” This report summarized the results of an audit of the physical security for the Commission’s Auctions site located at the Portals II building in Washington, DC. The auction site was moved to the Portals II building when the Commission moved its headquarters operation there in 1998. The objective of the original audit was to determine whether the Portals II facility had sufficient security safeguards to protect Auctions system data. Specifically, the review focused on physical, procedural, and administrative safeguards. The 1999 report noted that significant improvements could be made to increase the security of the Auctions facility at Portals II. The original report contained thirty-one (31) findings and the review team concluded substantial physical improvements can be made to more effectively secure the Portals II building and the Auctions facility. The Commission concurred with all of the reported findings and developed corrective action plans to address the findings.

The objective of this audit was to determine which findings from the original audit were closed and which were open. To accomplish this objective, the OIG established an audit team with representatives from Job Performance Systems, Inc. (JPS) to perform the follow-up audit on the Auctions physical security findings from the original report. All thirty-one (31) findings in the original audit were reviewed. To achieve our objective, the audit team first reviewed the status of each condition in the original report as reported by FCC management. To determine the appropriateness of the reported status and the current status of conditions, the review team conducted fieldwork from June 4, 2002 through August 28, 2002. JPS conducted a review at the FCC’s Portals II Headquarters from June 4, 2002 through June 7, 2002 to review conditions. An additional site visit was conducted by JPS on July 26, 2002 to follow up on two conditions. The status of general control conditions, which addressed physical, procedural, and administrative safeguards, was determined through staff interviews, review of documentation, and other tests deemed necessary as provided by the Office of the Managing Director (OMD) and the Wireless Telecommunications Bureau (WTB).

The guideline for performing this audit was the U.S. Department of Justice document, titled “Vulnerability Assessment of Federal Facilities” (DOJ Report), issued June 28, 1995. This report enunciated Department of Justice building security standards developed after the Oklahoma City Murrah Federal Building disaster. Additional guidance was received from the U.S. General Accounting Office (USGAO) report number T-GGD-98-141, “General Services Administration: Many Building Security Upgrades Made but Problems Have Hindered Program Implementation,” issued June 4, 1998, and other security documents such as Office of Management and Budget (OMB) Circular A-130, the Computer Security Act of 1987, FCC Directive: FCCINST 1479.1, and Presidential Decision Directive (PDD) 63 entitled “Critical Infrastructure Protection.”

Included in our follow-up audit were the thirty-one (31) conditions identified in Audit Report No. 99-11. Of the thirty-one conditions reviewed, seven (7) were determined to have an ‘open’ status and twenty-four (24) a ‘closed’ status. Included in the conditions is one (1) finding that had been reported to Commission management as closed prior to this audit. As a result of our audit, this condition has been re-opened. On August 28, 2002, we held an exit conference and met with representatives from the OMD and WTB to discuss the preliminary findings. OMD and WTB provided informal written and verbal comments.

In a response dated February 20, 2003, the Office of Managing Director (OMD) indicated concurrence with five of the open findings and recommendations and outlined the corrective action planned. For the remaining two findings, OMD undertook corrective action and considers those items to be completed. We concur with OMD’s assessment for those two findings and consider them to be closed. We have included a copy of this response in its entirety as Appendix D to this report.

Background

On September 28, 1999, the OIG issued Audit Report No. 99-11 entitled “Report on Auctions Physical Security at the Portals Site” summarizing the results of an audit of the physical security for the Auctions site, which was relocated to the Portals. The objective of this audit was to determine whether the FCC’s Portals facility has sufficient security safeguards to protect Auctions system data. Specifically, the review focused on physical, procedural, and administrative safeguards.

The 1999 report noted that significant improvements can be made to increase the security of the Auctions facility at Portals II. The original report contained thirty-one (31) findings and the review team concluded substantial physical improvements can be made to more effectively secure the Portals II building and the Auctions facility. The Commission concurred with all of the reported findings and developed corrective action plans to address the findings.

The guideline for performing this audit was the U.S. Department of Justice document, titled “Vulnerability Assessment of Federal Facilities,” issued June 28, 1995. This report enunciated Department of Justice building security standards developed after the Oklahoma City Murrah Federal Building disaster.

Additional guidance was received from the following resources:

•   Presidential Decision Directive (PDD) 63, entitled “Critical Infrastructure Protection.”
•   OMB Circular A-130, entitled “Management of Federal Information Resources,” as revised on November 30, 2000.
•   The Computer Security Act of 1987 (PL 100-235).
•   FCC Instruction 1479.2, “Computer Security Program Directive.”
•   U.S. General Accounting Office report number T-GGD-98-141, “General Services Administration: Many Building Security Upgrades Made but Problems Have Hindered Program Implementation,” issued June 4, 1998.

Objective

The purpose of this audit was to determine the current status of the conditions found in OIG Report No. 99-11. This report summarized the results of an audit of the physical security for the Auctions site, which was relocated to the Portals. The results of this audit were summarized in Audit Report No. 99-11 entitled “Report on Auctions Physical Security at the Portals Site,” issued on September 28, 1999.

To achieve our objective, the audit team first reviewed the status of each condition as reported by FCC management. To determine the appropriateness of the reported status and the current status of conditions, the review team conducted site visits to the Portals II building at the FCC Headquarters. The status of audit conditions, which addressed control areas of physical, procedural, and administrative safeguards, was determined through walkthroughs, staff interviews, review of documentation, and other tests deemed necessary.

Scope

The scope of this engagement consisted of control weaknesses identified in the OIG’s prior report, Audit Report No. 99-11, entitled “Report on Auctions Physical Security at the Portals Site,” issued on September 28, 1999. The scope of this task order was to determine which findings from the prior audit were closed or open. For closed findings, the contractor performed appropriate tests to determine if the closed status was appropriate. For findings reported as open, the contractor determined if the condition still existed and if the open status was still appropriate.

The review team conducted site visits from June 3, 2002 through August 28, 2002. A site review at the Portals II building and the Auctions facility at FCC Headquarters in Washington, DC was conducted from June 3, 2002 through June 6, 2002. An additional site visit was conducted on July 27, 2002. An exit conference was conducted on August 28, 2002.

In total, thirty-one (31) conditions were reviewed. Our objective was to determine the appropriateness of the status of conditions reported by FCC management and determine which findings from the audit were closed and which were open.

Our procedures were designed to comply with applicable auditing standards and guidelines, including Generally Accepted Government Auditing Standards (GAGAS).

Observations

The original audit of Auctions physical security identified findings in the areas of physical, procedural, and administrative safeguards. Included in our follow-up audit were thirty-one (31) conditions identified in Audit Report No. 99-11. Of the thirty-one conditions that were reviewed, the audit identified seven (7) conditions with an ‘open’ status and twenty-four (24) with a ‘closed’ status. Represented in the open conditions is one (1) finding that, at the time of our audit, had been reported to Performance Evaluation and Records Management (PERM) of OMD as resolved by FCC management prior to this follow-up. As a result, this condition has been re-opened.

Each finding has been categorized by risk ratings of ‘High,’ ‘Medium,’ or ‘Low’. In assigning ratings, we evaluated each finding to determine potential degree of exposure to FCC based on the following risk ratings.

        High Risk: Security risk can cause a business disruption, if exploited.

        Medium Risk: Security risk in conjunction with other events can cause a business disruption, if exploited.

        Low Risk: Security risk may cause operational annoyances, if exploited.

Of those conditions determined to have an open status, two (2) were classified as having high levels of risk, three (3) as medium levels of risk, and two (2) as low risk levels in the original audit.

These seven (7) findings have been open for over three years. Six (6) depend on activities from organizations other than the FCC for closure. Five (5) are dependent on action by the General Services Administration (GSA) and one (1) on activity by Republic Properties (the lessor of the Commission’s Portals facility).

During the review, FCC management took proactive measures to investigate the conditions we initially identified as open and initiated steps to resolve those conditions. As applicable, we have noted such corrective actions in our report.

Appendix A of this report provides the Auctions Physical Security Follow-up – Findings Summary, which lists all open conditions identified during fieldwork. The report entitled Auctions Physical Security Follow-up – Summary of Findings is included as Appendix B. This report summarizes all conditions, both open and closed, identified during the follow-up. Appendix C of the report, entitled Auctions Physical Security Follow-up – Detailed Findings, provides detailed information on the conditions identified during fieldwork. Included with the narrative are photographs that illustrate the open conditions or the corrective actions taken. The report also indicates corrective actions reported to have been taken during our audit by FCC management to resolve conditions initially determined to have an open status.

In a response dated February 20, 2003, the Office of Managing Director (OMD) indicated concurrence with five of the open findings and recommendations and outlined the corrective action planned. For the remaining two findings, OMD undertook corrective action and considers those items to be completed. We concur with OMD’s assessment for those two findings and consider them to be closed. We have included a copy of this response in its entirety as Appendix D, entitled Findings and Recommendations – OMD Response.

In accordance with the Commission’s directive on the management of non-public information, we have classified all appendices as “Non-Public – For Internal Use Only.” Those persons receiving this report are expected to follow the established policies and procedures for managing and safeguarding this report in accordance with the Commission directive.